How To: One Internet connection - Two Private LANs
There are times when having two separate networks - both sharing the same Internet connection - can come in handy. For example, I recently helped a community center with its network setup. They needed to provide Internet connection to tenants who were renting space, in addition to their own shared Internet. They also shared a number of folders on the network, but weren't too careful about password protecting the shares.
Variations and Limitations
Although the example shows one wired and two wireless routers, you can use any combination of router flavors. If you need more private networks, just add more routers, connecting each one's WAN port to an "Internet" router LAN port.
If you use multiple wireless routers, set each one to a different channel (1, 6, or 11 for up to three and 1,4,8 and 11 for four router setups) and use different SSIDs so that clients can tell the LANs apart. To control access, use different WEP keys for each WLAN and you may want to enable MAC address association control too.
Dedicated servers are easy to handle by just connecting them to the "Internet" router and forwarding the appropriate port(s) to the server's IP address. This is also where you would put computers used for file and printer sharing, since they can be reached by computers on either private LAN (but not vice versa). If you don't want to share files from computers connected to the "Internet" router, be sure to disable File and Printer sharing on these machines, or password-protect the shares if you want to do selective sharing.
Everything comes at a price and the trade-off in this setup is the difficulty in handling Internet services where requests originate from machines someplace else on the Internet. Allowing inbound traffic means opening holes in two firewalls, which gets a little tricky due to the way that NAT-based firewalls work.
Depending on the application you're trying to use, you might be successful opening only the ports you need on the "Internet" router and the "LAN" router that connects to the computer that's running the Internet-accessible application. Note that when you configure port forwarding on the "Internet" router, you'll use the WAN IP address of the corresponding "LAN" router because all data that comes out of that router is made to look like it's coming from the WAN IP address - not the IP address of the client itself. The port forwarding rule on the "LAN" router will use the IP address of the specific client machine.
Unfortunately, this "feature" or NAT also means that you can establish port forwarding to only one computer per private LAN because each port forwarding rule must specify a single IP address that the rule applies to. Using the DMZ or "exposed computer" function on the routers doesn't help either, because, again, you can specify only one IP address for the DMZ computer.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
Tom's Guide upgrades your life by helping you decide what products to buy, finding the best deals and showing you how to get the most out of them and solving problems as they arise. Tom's Guide is here to help you accomplish your goals, find great products without the hassle, get the best deals, discover things others don’t want you to know and save time when problems arise. Visit the About Tom's Guide page for more information and to find out how we test products.